The present invention relates to an identity bridge service system that provides identity information for identifying a user on a network.
Various application services are provided on networks, and the amount of authentication information, such as passwords, and of personal information that a user must manage in order to use these application services is increasing.
To reduce this burden on the user, a technique called identity (ID) federation is drawing attention. In ID federation, an entity called a service provider (SP) provides an application service to the user, while an entity called an identity service provider (IDP) authenticates the user and manages the user's identity information (an identifier (IDer) for identifying the user and attribute information such as a name and authority). When a user requests a service from an SP, the SP requests identity information from the IDP in order to judge whether the service is to be provided. The IDP authenticates the user and, when the authentication succeeds, provides the identity information to the SP. The SP that receives the identity information from the IDP then provides the service to the user.
In an ID federation environment, a single sign-on (SSO) function is often provided: once a user has been authenticated by a specific IDP, the user can access a plurality of IDPs and SPs that each have a trust relationship with that IDP without being authenticated again.
In an ID federation environment, however, since the identity information of a user is centrally managed by the IDP, the IDP may be able to see all of the user's personal information.
US-A1-2003-0149781 therefore discloses a method in which a user distributes pieces of user information across a plurality of IDPs, and the IDPs and SPs manage the relationships between their respective user accounts.
The SP acquires the required identity information by accessing one or more IDPs and collecting the attribute information distributed among them. At this time, each IDP judges, according to a policy set by the user beforehand, whether the identity information is to be provided to the SP and whether the user must first confirm the provision of his or her identity information. Conditions such as “published”, “confirmed by a user”, “publishable only to an SP specified by a user” and “made anonymous” can be set, per piece of identity information, in the policy the user registers with an IDP.
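The per-attribute release policy and the SP-side collection across a plurality of IDPs described above, as an added illustrative example that is not part of the patent text: each IDP holds a share of the user's attributes and applies the user's rule for each one before the SP merges the shares. The attribute names, SP names and the hash-based pseudonym are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):
    PUBLISHED = 1   # release to any SP in the trust circle
    CONFIRM = 2     # hold the attribute until the user confirms this release
    SP_ONLY = 3     # release only to SPs the user named
    ANONYMOUS = 4   # release an SP-specific pseudonym, not the value

@dataclass(frozen=True)
class Rule:
    policy: Policy
    allowed_sps: frozenset = frozenset()  # consulted only for SP_ONLY

def pseudonym(value: str, sp: str) -> str:
    # Per-SP pseudonym so SPs cannot correlate users; a real IDP would key this (HMAC).
    return hashlib.sha256(f"{sp}:{value}".encode()).hexdigest()[:16]

def idp_release(held: dict, rules: dict, sp: str, requested: list,
                consented: set) -> tuple:
    """One IDP's decision over the attributes it holds: (released, pending).
    Unheld attributes are skipped; held attributes with no rule are denied."""
    released, pending = {}, []
    for attr in requested:
        if attr not in held or attr not in rules:
            continue
        rule, value = rules[attr], held[attr]
        if rule.policy is Policy.PUBLISHED:
            released[attr] = value
        elif rule.policy is Policy.ANONYMOUS:
            released[attr] = pseudonym(value, sp)
        elif rule.policy is Policy.SP_ONLY and sp in rule.allowed_sps:
            released[attr] = value
        elif rule.policy is Policy.CONFIRM:
            if attr in consented:
                released[attr] = value
            else:
                pending.append(attr)
    return released, pending

def sp_collect(idps: list, sp: str, requested: list, consented: set) -> tuple:
    """SP side: ask every IDP and merge the shares into one identity view."""
    identity, pending = {}, []
    for held, rules in idps:
        got, wait = idp_release(held, rules, sp, requested, consented)
        identity.update(got)
        pending.extend(wait)
    return identity, pending
```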